gerakon
Member Candidate
Topic Author
Posts: 105
Joined: Sat May 24, 2014 8:14 am

SSTP VPN - certificate cannot be verified

Wed Feb 25, 2015 12:31 am

I was hoping to post this as a tutorial when I got it figured out, but I'm still having a little trouble. Below are the steps I've gone through to get to this point. When I attempt to connect to the VPN I receive the following error message on Windows 7:

Error 0x80096004: The signature of the certificate cannot be verified.

I have deleted and recreated the Certs and keys with OpenSSL 3 times. Can anyone see what I'm doing wrong?
I am also trying to connect from inside the network which has worked for PPTP and L2TP in the past. Maybe I should try it from outside...

I'm also getting Warning Code 3 when running openssl x509 -noout -text -in server.crt -purpose. I assume this was due to it being a self-signed cert, but I couldn't find anything that confirmed that.

Here is some other relevant (sanitized) information:


/ip address
add address=10.2.2.1/24 interface=ether1 network=10.2.2.0

add address=x.x.x.9/32 interface=ether24 network=x.x.x.0
/ip cloud
set ddns-enabled=yes



First create SSL Certs and upload

First step is to build the CA private key and CA certificate pair

openssl genrsa -des3 -out ca.key 4096

C:\OpenSSL-Win32\bin>openssl genrsa -des3 -out ca.key 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
................................................................................
........++
................................................................................
................................................................................
............................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:MyRandomPassword
Verifying - Enter pass phrase for ca.key:MyRandomPassword

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:MyRandomPassword
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Inc
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:myrouter.sn.mynetname.net
Email Address []:myemail@test.com


Now create private-key/certificate pair for the server

openssl genrsa -des3 -out server.key 4096

Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
................................................................................
................................................................................
....................................++
................................................................................
.............++
e is 65537 (0x10001)
Enter pass phrase for server.key:MyRandomPassword
Verifying - Enter pass phrase for server.key:MyRandomPassword


openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Inc
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:myrouter.sn.mynetname.net
Email Address []:myemail@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:



openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt


Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=MyState/L=MyCity/O=MyCompanyName/CN=myrouter.sn.mynetname.net/emailAddress=myemail@test.com..
Getting CA Private Key
Enter pass phrase for ca.key:MyRandomPassword



Client key/certificate pair creation steps are very similar to the server's. Remember to specify a unique CN.



openssl genrsa -des3 -out client.key 4096

Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
................++
................................................................................
...............................++
e is 65537 (0x10001)
Enter pass phrase for client.key:MyRandomPassword
Verifying - Enter pass phrase for client.key:MyRandomPassword


openssl req -new -key client.key -out client.csr

Enter pass phrase for client.key:MyRandomPassword
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MyState
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Inc
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:myrouter.sn.mynetname.net
Email Address []:myemail@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:MyRandomPassword
An optional company name []:




openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=MyState/L=MyCity/O=MyCompanyName/CN=myrouter.sn.mynetname.net/emailAddress=myemail@test.com..
Getting CA Private Key
Enter pass phrase for ca.key:MyRandomPassword




To examine the certificate, run the following command:

openssl x509 -noout -text -in server.crt -purpose

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=MyState, L=MyCity, O=MyCompanyName, CN=myrouter.sn.mynetname.net/emailAddress=myemail@test.com..
Validity
Not Before: Feb 24 15:45:52 2015 GMT
Not After : Feb 21 15:45:52 2025 GMT
Subject: C=US, ST=MyState, L=MyCity, O=MyCompanyName, CN=myrouter.sn.mynetname.net/emailAddress=myemail@test.com..
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
Netscape SSL server : Yes
Netscape SSL server CA : Yes (WARNING code=3)
S/MIME signing : Yes
S/MIME signing CA : Yes (WARNING code=3)
S/MIME encryption : Yes
S/MIME encryption CA : Yes (WARNING code=3)
CRL signing : Yes
CRL signing CA : Yes (WARNING code=3)
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes (WARNING code=3)
Time Stamp signing : No
Time Stamp signing CA : Yes (WARNING code=3)


Copy the ca.crt, server.crt and server.key to the root of the MikroTik by opening "Files" in Winbox and dragging them from C:\OpenSSL-Win32\bin\


/certificate import file-name=ca.crt
passphrase: MyRandomPassword
/certificate import file-name=server.crt
passphrase: MyRandomPassword
/certificate import file-name=server.key
passphrase: MyRandomPassword


/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2 enabled=yes port=444

/ppp secret
add local-address=10.2.2.1 name=user2 password=password12 remote-address=10.100.100.2 service=sstp
add local-address=10.2.2.1 name=user3 password=password12 remote-address=10.100.100.3 service=sstp


/interface ethernet set ether24 arp=proxy-arp comment="Must be internal gateway interface - Allow ping from SSTP"


On the Windows 7 client go to Control Panel > Internet Options > Content > Certificates >
Trusted Root Certificate Authorities > Import
- Select C:\OpenSSL-Win32\bin\client.crt

Create new VPN connection, go
Enter myrouter.sn.mynetname.net:444 for the host name.
Security Tab Change Type of VPN to SSTP
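As an added example that is not part of the thread: the same OpenSSL flow as the post above, but issuing X.509 v3 certificates (the dump above shows "Version: 1", and server and client share one DN and the hand-set serial 01), so the CA carries basicConstraints and the server certificate carries a SAN and the serverAuth EKU, after which the chain is checked with openssl verify. The CA name, the config files and the directory layout are assumptions made here; the hostname is the one from the post.

```shell
# Added example, not from the thread: a v3 CA plus an SSTP server certificate
# carrying the extensions a Windows SSTP client checks, then a chain check.
# Assumes openssl on PATH; HOST is the post's DDNS name, other names are placeholders.
set -eu
HOST="myrouter.sn.mynetname.net"

# Writes ca.key/ca.crt and server.key/server.crt into directory $1.
make_sstp_certs() {
    dir="$1"; mkdir -p "$dir"
    # CA config: basicConstraints CA:TRUE makes a v3 CA, so "x509 -purpose"
    # reports a plain Yes for the CA purposes instead of the v1 "WARNING code=3".
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Lab CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server request: a CN distinct from the CA's (the post reused one DN for all).
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$HOST" \
        > "$dir/srv.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/srv.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Extensions the client relies on: not a CA, serverAuth EKU, SAN = dialed host.
    cat > "$dir/srv.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
authorityKeyIdentifier = keyid
EOF
    # -CAcreateserial keeps a serial file so server and client certs never share
    # the hand-set serial 01 from the post.
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/srv.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt and carries the serverAuth EKU.
check_sstp_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}
```

On the router the resulting ca.crt, server.crt and server.key are imported exactly as in the post; on the client it is ca.crt, not client.crt, that belongs in the trusted root store.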
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: SSTP VPN - certificate cannot be verified

Mon Apr 20, 2015 4:23 am

On the Windows 7 client go to Control Panel > Internet Options > Content > Certificates >
Trusted Root Certificate Authorities > Import
- Select C:\OpenSSL-Win32\bin\client.crt

You may want to import the ca.crt into "Trusted Root Certificate Authorities".
Then import the client.crt + client.key into "Personal".
